[866] in cryptography@c2.net mail archive
Re: Proxy Cryptography draft available
daemon@ATHENA.MIT.EDU (David Wagner)
Tue May 20 09:33:02 1997
To: cryptography@c2.net
From: daw@cs.berkeley.edu (David Wagner)
Date: 19 May 1997 23:49:19 -0700
In article <199705132237.SAA16530@nsa.research.att.com>,
Matt Blaze <mab@research.att.com> wrote:
> This paper introduces {\em proxy cryptography,} in which a {\em
> proxy function,} in conjunction with a public {\em proxy key,}
> converts ciphertext (messages in a public key encryption scheme or
> signatures in a digital signature scheme) for one key ($k_1$) into
> ciphertext for another ($k_2$).

The paper describes how to do proxy encryption with an ad-hoc El Gamal-like
public key cipher. Here's how to do proxy crypto with standard El Gamal.

To encrypt a message m to the public key g^a using El Gamal, you choose x
randomly and send the ciphertext

    Sender -> Alice: m g^{ax}, g^x.

To convert that to a ciphertext for the public key g^b, Alice should raise
the second component of the ciphertext to the power a b^{-1} mod p-1, and
send the resulting ciphertext to Bob:

    Alice -> Bob: m g^{ax}, g^{x a b^{-1}}

Note that when Bob decrypts using El Gamal and his private key b, he
recovers the original message m, as

    m g^{ax} (g^{x a b^{-1}})^{-b} = m g^{ax} g^{-ax} = m.

The proxy private key is a b^{-1} mod p-1, of course. El Gamal is clearly
as secure as Diffie-Hellman; the proxy-ified version I presented above is
too, assuming phi(p-1) is publicly known. (In practice, you'll want q | p-1,
q prime, g of order q; and you'll want to replace the first component of the
ciphertext with the triple-DES encryption of m under key g^{ax}.)
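
Added example (not part of the message above): the conversion it describes, carried out in Python in the prime-order setting from the closing parenthetical (q | p-1, g of order q), so the proxy key is reduced mod q. The toy parameters, function names and sample message are constructed for illustration, and the triple-DES hybrid step is left out.

```python
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1 with q prime,
# and g = 4 generating the subgroup of order q in Z_p^*.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (private exponent, public key g^priv mod p)."""
    priv = secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]
    return priv, pow(G, priv, P)

def encrypt(pub, m):
    """Standard El Gamal: (m * pub^x, g^x) for a fresh random x."""
    x = secrets.randbelow(Q - 1) + 1
    return (m * pow(pub, x, P)) % P, pow(G, x, P)

def proxy_key(a, b):
    """a * b^{-1}, taken mod q because g has order q."""
    return (a * pow(b, -1, Q)) % Q

def reencrypt(pk, ct):
    """Raise only the second component to the proxy key; m g^{ax} is untouched."""
    c1, c2 = ct
    return c1, pow(c2, pk, P)

def decrypt(priv, ct):
    """Recover m = c1 * c2^{-priv} mod p."""
    c1, c2 = ct
    return (c1 * pow(c2, -priv, P)) % P

if __name__ == "__main__":
    a, A = keygen()                  # Alice
    b, B = keygen()                  # Bob
    m = 1234                         # constructed sample message, 0 < m < p
    ct_alice = encrypt(A, m)         # Sender -> Alice
    pk = proxy_key(a, b)
    ct_bob = reencrypt(pk, ct_alice) # Alice -> Bob
    print("Alice decrypts original:", decrypt(a, ct_alice) == m)
    print("Bob decrypts converted: ", decrypt(b, ct_bob) == m)
    # Design caveat: pk * b mod q equals a, so whoever holds the proxy key
    # together with Bob's private key can compute Alice's private key.
    print("pk * b mod q == a:      ", (pk * b) % Q == a)
```

Requires Python 3.8 or later for modular inverses via pow() with a negative exponent.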